TL;DR: External API expansion is an identity problem as much as an architecture problem, because partner access, onboarding, and traffic control must be designed together. Power Dynamic Technology used Kong Konnect on Azure to build a self-service API developer portal for SecureID, adding secure API exposure, built-in plugins, and scaling support for a platform serving millions, according to Kong.
NHIMG editorial — based on content published by Kong: How Power Dynamic Technology Scaled SecureID with Kong Konnect and Azure Cloud
Questions worth separating out
Q: How should teams govern third-party access to identity platform APIs?
A: Teams should govern third-party access as a lifecycle problem, not a one-time integration task.
Q: Why do API gateways matter for IAM programmes?
A: API gateways matter because they sit on the request path and can enforce identity and usage policy before traffic reaches core services.
Q: What breaks when partner API access is managed outside IAM?
A: When partner access sits outside IAM, teams lose visibility into who was approved, what they can reach, and when that access should end.
Practitioner guidance
- Define a joint API and identity onboarding workflow. Tie partner registration, credential issuance, approval, and revocation into one documented workflow so third-party access can be retired cleanly when trust ends.
- Enforce gateway-level authentication and rate limits. Place authentication, quota enforcement, and throttling at the gateway so downstream identity services are not the first line of defence against abuse.
- Review policy drift across Azure and adjacent environments. Compare auth rules, certificate handling, and observability settings across every environment where the API is exposed, then standardise the ruleset before expansion.
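One way to check the second and third points together, as an added example that is not code from Kong or from SecureID's team: it flags routes with no gateway authentication or rate limit, then lists plugin settings that differ between two environments. The environment names, route names and snapshot layout are assumptions constructed for illustration; the source does not state which plugins were deployed.

```python
# Constructed sample data: simplified per-environment gateway policy snapshots
# (route -> plugin name -> settings). Environment and route names are hypothetical.
ENVIRONMENTS = {
    "azure-prod": {
        "partner-verify": {"key-auth": {}, "rate-limiting": {"minute": 60}, "prometheus": {}},
        "partner-enrol": {"key-auth": {}, "rate-limiting": {"minute": 30}},
    },
    "azure-staging": {
        "partner-verify": {"key-auth": {}, "rate-limiting": {"minute": 600}},
        "partner-enrol": {"rate-limiting": {"minute": 30}},
    },
}

# Assumed baseline: every partner route needs one auth plugin and a rate limit.
REQUIRED = {"auth": {"key-auth", "openid-connect"}, "rate_limit": {"rate-limiting"}}


def missing_controls(env):
    """Return sorted (route, control) pairs where no accepted plugin is attached."""
    gaps = []
    for route, plugins in ENVIRONMENTS[env].items():
        for control, accepted in REQUIRED.items():
            if accepted.isdisjoint(plugins):
                gaps.append((route, control))
    return sorted(gaps)


def drift(baseline, other):
    """Return (route, plugin, baseline_cfg, other_cfg) for each differing setting."""
    base, cand = ENVIRONMENTS[baseline], ENVIRONMENTS[other]
    findings = []
    for route in sorted(base.keys() | cand.keys()):
        b, c = base.get(route, {}), cand.get(route, {})
        for plugin in sorted(b.keys() | c.keys()):
            # None on either side means the plugin is absent in that environment.
            if b.get(plugin) != c.get(plugin):
                findings.append((route, plugin, b.get(plugin), c.get(plugin)))
    return findings


if __name__ == "__main__":
    for env in ENVIRONMENTS:
        print(env, "missing controls:", missing_controls(env))
    for finding in drift("azure-prod", "azure-staging"):
        print("drift:", finding)
```

In practice the snapshots would be exported from each environment's gateway configuration rather than written by hand.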
What's in the full article
Kong's full customer story covers the operational detail this post intentionally leaves for the source:
- How SecureID's team connected Kong Konnect to Microsoft Azure for deployment and traffic control.
- The specific plugin-driven features used for authentication, observability, transformations, and rate limiting.
- Why the team chose a self-service portal model for third-party developers and how it shaped onboarding.
- How Kong's control plane was positioned to support scaling across Europe without rebuilding the platform from scratch.